
Troubleshooting – Intermittent 500 Errors with Federation

As a part of a new series of articles focusing on troubleshooting IAM system issues, this week we have a post about intermittent 500 errors during federation. In each article, we will present the reported issue, what we found during troubleshooting, and how the problem was remedied.

Issue: A customer reported intermittent HTTP 500 errors during outbound SAML assertion generation.

Symptoms: When users were attempting to federate to external service providers, they would occasionally receive an HTTP 500 error. If the user refreshed their browser, they would be redirected correctly and their SAML assertion would be posted to the remote service provider. Not all users or requests would receive the 500 error.

Troubleshooting: We needed to understand the pattern of failure (including the frequency), but first had to isolate the faulty component(s). We elected to exclude the HA configuration since the environment was non-production; as such, we stopped all but one of the policy servers and ran an outbound federation test. Having found no problem, we disabled the active policy server, enabled one of the others, and tested again. We then repeated the process until all of the policy servers were tested. Testing the policy servers did not yield any issues, so we moved on to the web servers. We repeated the process with the web servers associated with federation until we received a test failure. We were then able to locate the web server that was causing the HTTP 500 error by examining the FWSTrace.log.

Condition: The SiteMinder environment was configured for High Availability (HA) and Federation.

Cause: The java.security file in the jre/lib/security directory did not have the Cryptographic Jurisdiction Policy defaults set to unlimited. This was incorrectly set on one web server, thus causing the issue to be intermittent. Similar symptoms could have appeared if only one policy server had the discovered problem.

Remedy: We edited the file and uncommented the line ‘crypto.policy=unlimited’. We restarted the web server process and the application server responsible for federation.
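
Because the fault lived on a single node, the same setting is worth checking on every web server and policy server in the HA set. The script below is an added example, not part of the original troubleshooting session: it reads one or more java.security files and reports whether crypto.policy is explicitly set to unlimited. The function names are hypothetical, and it assumes each node's file is readable locally or has been copied to one host. A commented-out line is reported as unset, because the JRE then falls back to its built-in default, which varies by Java version.

```shell
#!/bin/sh
# Added example: audit the crypto.policy setting in java.security files.

# crypto_policy_state FILE
# Prints: unlimited | limited (or any other active value) | unset | missing
crypto_policy_state() {
    file=$1
    [ -r "$file" ] || { echo missing; return 0; }
    # Match only active (uncommented) assignments. If the property is
    # repeated, the last assignment wins, as in any Java properties file.
    # [[:space:]] also absorbs a trailing CR from Windows line endings.
    value=$(sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*[=:][[:space:]]*\([^[:space:]]*\).*$/\1/p' "$file" | tail -n 1)
    echo "${value:-unset}"
}

# audit_policy FILE...
# Prints "<state> <file>" for each file and returns 1 if any file is
# not explicitly set to unlimited, so nodes that differ stand out.
audit_policy() {
    rc=0
    for f in "$@"; do
        state=$(crypto_policy_state "$f")
        printf '%-10s %s\n' "$state" "$f"
        [ "$state" = unlimited ] || rc=1
    done
    return $rc
}

# Run the audit when file paths are passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_policy "$@"
fi
```

Pass it the java.security path from each node's jre/lib/security directory; a non-zero exit status means at least one node is not explicitly set to unlimited.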

As always, we hope that you have found this information useful. If you need SiteMinder assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.